URL: https://github.com/SSSD/sssd/pull/616
Title: #616: become_user: add supplementary groups so ad provider can access keytab
asheplyakov commented:
"""
> I wonder if you wouldn't be able to achieve the same by setting the primary
> group of the _sssd user to _keytab?
This way, other daemons which need access to the keytab (apache, postgresql, you
name it) might be able to read sssd caches and logs (which belong to
_sssd:_keytab). It looks like sssd is careful enough to chmod 600 all those
files, yet it's better to avoid possible bugs.
> could the keytab file allow the sssd user to read the contents with a POSIX
> ACL?
- often the keytab is managed automatically by `samba-tool join` or similar tools.
Patching these tools to set proper ACLs *when the sssd package is installed*
doesn't look like a good idea. On the other hand, it's enough to patch
libkrb5 to force correct group/permissions of /etc/krb5.keytab, and the patch
is simple enough (see
http://git.altlinux.org/people/sin/packages/?p=krb5.git;a=blob;f=krb5-1.16-alt-default_keytab_group.patch;h=3ea8c536d57045002b39e77992d7bf36cc94c3ac;hb=bd27c4dfd73611a0192691a2567101f4f5c89936#l100)
- also not every filesystem/kernel supports POSIX ACLs (think of those NAS
devices), but virtually all sensible filesystems know what uid/gid are.
"""
See the full comment at
https://github.com/SSSD/sssd/pull/616#issuecomment-405040134
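The mechanism the PR title refers to, as an added example that is not sssd's own code: a privilege drop that installs supplementary groups before calling setuid(), next to a model of the UNIX mode check that shows why setuid() alone leaves a root:_keytab 0640 keytab unreadable, and why the primary-group alternative discussed above would expose 0640 files owned by _sssd:_keytab to every other member of _keytab. The user and group names (_sssd, _keytab), the path /etc/krb5.keytab and all numeric ids are assumptions taken from the discussion or constructed for the demonstration.

```c
/* Added example, not part of sssd. Assumes: sssd runs as _sssd, the keytab is
 * /etc/krb5.keytab owned root:_keytab mode 0640, and _sssd has _keytab as a
 * supplementary group in /etc/group. Numeric ids below are made up. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Model of the classic UNIX mode check for read access: owner bits if the uid
 * matches, otherwise group bits if the primary gid or any supplementary group
 * matches, otherwise the "other" bits. uid 0 is deliberately not special-cased
 * so the result shows what the unprivileged daemon itself would get. */
int can_read(uid_t uid, gid_t gid, const gid_t *sup, size_t nsup,
             uid_t st_uid, gid_t st_gid, mode_t st_mode)
{
    if (uid == st_uid)
        return (st_mode & S_IRUSR) != 0;
    if (gid == st_gid)
        return (st_mode & S_IRGRP) != 0;
    for (size_t i = 0; i < nsup; i++)
        if (sup[i] == st_gid)
            return (st_mode & S_IRGRP) != 0;
    return (st_mode & S_IROTH) != 0;
}

/* Drop from root to `user`. initgroups() loads the user's supplementary groups
 * from the group database and must run while still root, as must setgid();
 * setuid() comes last. Every step is checked: an unchecked, failed setuid()
 * would silently leave the daemon running as root. */
int become_user(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        fprintf(stderr, "become_user: no such user %s\n", user);
        return -1;
    }
    if (initgroups(user, pw->pw_gid) != 0) { perror("initgroups"); return -1; }
    if (setgid(pw->pw_gid) != 0)          { perror("setgid");     return -1; }
    if (setuid(pw->pw_uid) != 0)          { perror("setuid");     return -1; }
    /* setuid() from root replaces real, effective and saved uid, so regaining
     * root must now fail; treat success as a fatal misconfiguration. */
    if (setuid(0) == 0) {
        fprintf(stderr, "become_user: able to regain root after drop\n");
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed ids: root=0, _sssd=1001:1001, _keytab gid=1002, apache uid=33. */
    const uid_t root_uid = 0, sssd_uid = 1001, apache_uid = 33;
    const gid_t sssd_gid = 1001, keytab_gid = 1002;
    const gid_t sup[] = { keytab_gid };

    /* Keytab root:_keytab 0640, daemon _sssd:_sssd: setuid() alone vs. with the
     * _keytab supplementary group installed. */
    printf("keytab, no supplementary groups: %s\n",
           can_read(sssd_uid, sssd_gid, NULL, 0, root_uid, keytab_gid, 0640)
               ? "readable" : "EACCES");
    printf("keytab, _keytab supplementary:   %s\n",
           can_read(sssd_uid, sssd_gid, sup, 1, root_uid, keytab_gid, 0640)
               ? "readable" : "EACCES");
    /* The primary-group alternative: sssd's own files become _sssd:_keytab, so
     * a 0640 cache would be readable by apache if apache is also in _keytab. */
    printf("cache _sssd:_keytab 0600 from apache: %s\n",
           can_read(apache_uid, keytab_gid, NULL, 0, sssd_uid, keytab_gid, 0600)
               ? "readable" : "EACCES");
    printf("cache _sssd:_keytab 0640 from apache: %s\n",
           can_read(apache_uid, keytab_gid, NULL, 0, sssd_uid, keytab_gid, 0640)
               ? "readable" : "EACCES");

    /* Real drop only when run as root with a user name argument. */
    if (argc > 1 && geteuid() == 0) {
        if (become_user(argv[1]) != 0)
            return 1;
        gid_t groups[64];
        int n = getgroups(64, groups);
        printf("now uid %u gid %u, supplementary groups:",
               (unsigned)getuid(), (unsigned)getgid());
        for (int i = 0; i < n; i++)
            printf(" %u", (unsigned)groups[i]);
        printf("\n");
    }
    return 0;
}
```

Run without arguments to see the mode-check table; as root with a user name (for example `sudo ./a.out _sssd`) it performs the drop and prints the group list the daemon would keep, which is what lets a 0640 root:_keytab file stay readable after the switch.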
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
List Archives:
https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/YAZ3PBQJNA323MBAFZ47TEPE6XE3TFTA/